Stores Grapple With Cyber Attacks

NEW YORK — When the CEO of a $2.4 billion company calls cyber security an “Air Force One emergency,” you know the threat is serious.

Speaking at a recent event in New York, incoming Saks Fifth Avenue President Marigay McKee voiced the concern gripping the U.S. retail industry about cyber hackers, following recent breaches at Target and Neiman Marcus.

Never before have retailers been so invested in firming up their security networks to protect customers’ personal and financial data.

“It’s been a rude awakening. We are putting measures in place to prevent that happening [at Saks],” McKee said, though she added that safeguarding against fraud and cyber attacks has always been at the forefront of retailers’ minds.

Target has admitted that in addition to the roughly 40 million debit and credit cards impacted in its breach over the holidays, an extra 70 million personal data files were compromised. The second batch of stolen information includes names, mailing addresses, phone numbers or email addresses.

Details recently released by security firm IntelCrawler said the breach was the result of malware out of Russia that infected Target’s payment system and possibly impacted other retailers’ systems. The reports suggest that the malware — written by a Russian teenager — enabled the perpetrators to scrape the data from card readers in the stores.

Neiman Marcus reported a similar security attack in early January and has faced backlash amid suggestions the retailer became aware of the incident late last year.

A Neiman Marcus spokesperson declined to comment as the company is in the middle of a criminal and forensics investigation. The department store is working with the U.S. Secret Service to determine the size and cause of the breach, said to affect millions of people. A Target spokesperson also declined to comment.

Chris Gray, director of the risk and compliance practice at Denver-based Accuvant, an information security firm, said more than 12 retail firms have yet to disclose breaches of their payment systems.

“This is the largest consolidated effort to compromise retailers’ payment systems at once,” he said, adding that at least three more major chains, as well as a slew of smaller stores, could be involved. “We don’t know how big and far-reaching this will go.”

Retailers often are reluctant to report incursions out of concern it could hurt their businesses. Target and JCPenney waited more than two years to admit that they were victims of cyber attacks in 2007, and customer loyalty and sales suffered as a result. In January 2012, Zappos.com revealed it suffered a breach that compromised customer information on the company’s internal network and systems.

A number of major footwear retailers declined to comment on the matter last week.

Jim Sluzewski, Macy’s corporate spokesperson, said, “We are very aware of the issues at Target and Neiman Marcus and we have no reason to believe that our payment system has been affected. The privacy and security of customers’ information is a top concern. We continue to very closely monitor our systems.”

Gray said he expects the hackers responsible for the wave of attacks began testing a method to infect thousands of POS systems as early as January 2013.

“There is evidence that the hackers had been test-driving on smaller venues before they released it into the market before the big spend time over the holiday season,” Gray said, noting that the hackers infected Target’s point-of-sale systems before accessing the back-end server to obtain customers’ personal and financial information.

Target’s security team has remained tight-lipped about whether the company implemented security measures recommended by Visa Inc. last year.

Visa issued alerts in April and August about a surge in cyber attacks on retailers, noting how the attacks were launched and offering advice on thwarting them.

Robert Passikoff, president at Brand Keys, said Target’s operations and reputation will remain under pressure as the situation unfolds. “Target announced they were going to take a charge due to the cost of the breach, but if you looked at their annual report they recognized that this was going to be an ongoing issue and situation. This is not a one-time earnings event,” he said.

Like many industry experts, Passikoff said he hopes the recent attacks will spark a push by U.S. Congress to implement tighter cyber security laws and encourage investment in and implementation of credit cards with chips that encrypt data, similar to systems widely used in Europe and Canada.

“The U.S. is five to 20 years behind Europe in terms of the embedded chip system that completely changes the interaction between customer and merchant,” he said.

On Jan. 21, the National Retail Federation urged Congress to transition to more secure and advanced credit and debit cards in the wake of recent international cyber attacks and threats.

Target CEO Gregg Steinhafel also has urged retailers and banks to adopt chip-based credit card technology, despite the retailer scrapping a $40 million, three-year program mapping out a move to the more secure payment system a decade ago.

As insiders push for new security measures, experts said the thefts are only likely to increase.

“The situation is going to get worse before it gets better,” said Avivah Litan, a security analyst for Stamford, Conn.-based Gartner, an information technology research firm. “The criminals will go quiet for a while. They know they can come back, so why wouldn’t they? As we see more breaches, people will be scared of shopping. Target already has begun to close stores and lay off employees.”

On Jan.22, the retailer said it intends to cut 475 jobs globally while leaving an additional 700 open positions unfilled.

Peter Singer, director of the Center for 21st Century Security & Intelligence and senior fellow in the Foreign Policy program at The Brookings Institution, said the risk of attack is ongoing, with nine new pieces of malware found every second.

“Companies need to understand there is no such thing as 100 percent security, and anyone claiming they can offer you that is a huckster,” Singer said. “It’s more about building best practices of behavior inside your firm and focusing on resilience, not merely paying someone to create higher walls for you.”